No need to decide, a simple solution exists!
In a nuthshell, allow only key based logins, and use the ForceCommand option in sshd_config to force PAM authentication.
The user than has to have a key to login, but after they login, they are forced to authenticate via PAM, regardless of whether their key is password protected!
Full procedure in this blog post
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds